worker_processes 1;

env KEYCLOAK_CLIENT_SECRET;

events {
  worker_connections 1024;
}

http {
  resolver 192.168.21.2 ipv6=off;

  lua_package_path "/usr/local/openresty/lualib/?.lua;;";

  lua_shared_dict discovery 1m;
  lua_shared_dict jwks 1m;
  lua_shared_dict sessions 10m;

  include       mime.types;
  default_type  application/octet-stream;
  sendfile        on;
  keepalive_timeout  65;

  server {
    listen 80;

    # Automatically redirect URLs missing trailing slash (but not files like .js, .css, etc.)
    #if ($request_uri ~ ^([^.\?\#]*[^/])$) {
    #  return 301 $request_uri/;
    # }

    # Public route: /auth selection page, no login required
    location /auth {
      proxy_pass http://main-website:3000;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
    }

    location = /redirect_uri {
      access_by_lua_file /usr/local/openresty/nginx/conf/auth.lua;
    }

    # Protected root route (main site)
    location / {
      access_by_lua_file /usr/local/openresty/nginx/conf/auth.lua;

      proxy_pass http://main-website:3000;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Protected demo route
    location /lawfirm/demo1/ {
      access_by_lua_file /usr/local/openresty/nginx/conf/auth.lua;

      rewrite ^/lawfirm/demo1(/.*)$ $1 break;
      proxy_pass http://ld1:3000;

      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Add more locations as needed for other demos
  }
}